Documents released by whistleblower Edward Snowden have revealed that the National Security Agency has powerful capabilities to identify and spy on users of the Tor network, three of my colleagues report. But what's Tor? How do the attacks work? And what does all this mean for Internet security? Read on to find out.
Tor originally stood for The Onion Router. It's a worldwide network of servers designed to help users browse the Web anonymously, along with software to access the network.
The open-source software was developed 11 years ago with funding from the U.S. military, but no single person or organization controls the network as a whole.
How does it work?
The Tor service disguises a user's identity by bouncing traffic among several different Tor servers, or nodes. The packets are encrypted in a way that ensures that each link in the chain only knows about the links immediately before and after it. As a result, when a packet emerges from the Tor network, no one can figure out who sent it.
That sounds really complicated. Can ordinary users use it?
To make the system easier to use, the Tor project provides the Tor Browser Bundle. That's a version of the Firefox Web browser that's been pre-configured to send all of its traffic through the Tor network. So to anonymize your traffic, all you do is download the Tor version of Firefox and use it like you would an ordinary Web browser. No special configuration or technical knowledge is required.
That sounds really easy. Why doesn't everyone do that?
Encrypting your packets and bouncing them around the Internet isn't costless. All that extra work means that browsing the Web via Tor feels sluggish compared to using a conventional browser.
If anonymity is important to you — say, you're a dissident in a repressive country, a corporate whistleblower or the owner of a Bitcoin-based drug marketplace — that extra sluggishness is well worth the trouble. But for most of us, the anonymity of Tor is overkill, so we don't use it.
And that's a good thing, because the Tor network has limited capacity. Tor nodes are donated by governments, institutions and private individuals who want to promote privacy. There's never quite enough to go around, so the network is often congested.
Is the Tor network secure?
As far as we know, yes. Even the NSA has struggled to spy on the network. "We will never be able to de-anonymize all Tor users all the time," a slide from a 2007 NSA presentation stated. "With manual analysis we can de-anonymize a very small fraction of Tor users." But at least as of 2007, the NSA didn't have any techniques that would allow them to target particular users on demand.
Then what's this about the NSA spying on Tor users?
Remember I said earlier that the most popular way to use Tor is to download the Tor Browser Bundle? Well, Web browsers are much more complicated than stand-alone Tor software. So while hacking the core Tor network has proven difficult, hacking a Tor user's browser is easier.
According to the Guardian, the NSA's attack works by "implanting malicious code on the computer of Tor users who visit particular websites." The malicious code is designed to target vulnerabilities that exist in the version of Firefox that's in the Tor Browser Bundle.
This sounds familiar. Wasn't the government accused of using a compromised server to serve malware to child pornography suspects in July?
Yes. The FBI recently admitted that it had taken control of Freedom Hosting, a company that provides Tor hidden services, in July. The server began serving malware that "exploited a security hole in Firefox to identify users of the Tor Browser Bundle." That apparently allowed the NSA to identify people who had been browsing a Tor hidden service for child pornography.
It looks like the compromise of Freedom Hosting was one use of the NSA's powerful capacity to attack users of the Tor Browser Bundle.
So this attack depends on the target visiting an NSA-controlled Web site?
Ordinarily it would, but according to Bruce Schneier, who has been working with the Guardian's investigative team, the NSA has the ability to impersonate Web sites it doesn't control to inject malicious code.
"The NSA places secret servers, codenamed Quantum, at key places on the internet backbone," Schneier writes. These servers intercept requests for legitimate websites and respond before the legitimate server can reply. The Quantum server's response redirects the target's browser to an NSA-controlled web server that sends the browser malware.
That sounds like a sophisticated attack. What kind of infrastructure is required to carry it out?
Executing this type of attack, known as "man in the middle," requires working closely with Internet backbone providers. Major telecommunications companies apparently allow the NSA to install equipment in their facilities and tap into the streams of data they transmit.
The NSA also has a secret network of sophisticated Web servers to deliver the malware, Schneier writes. Servers in this system, code-named FoxAcid, install malware capable of burrowing deep into the target computer, making it difficult to detect or remove. The malware can spy on the user and report back to the NSA with information.
Schneier reports that "By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all."
Could that same infrastructure be turned against people who aren't using Tor?
It seems that way. While the specific attacks disclosed today focused on users of the Tor Browser Bundle, the Quantum and FoxAcid program could be used to attack any user whose browser had vulnerabilities known to the NSA. And new browser vulnerabilities are discovered on a regular basis. In other words, there's a good chance the NSA could use systems like Quantum and FoxAcid hack into the computer you're using to read this right now if it wanted to.
Where can I read the NSA documents that Ed Snowden leaked regarding Tor surveillance?